From 2f7303c00e37729b176ca5e645d97e555aa1c4fd Mon Sep 17 00:00:00 2001
From: hickert <hickert@594d385d-05f5-0310-b6e9-bd551577e9d8>
Date: Fri, 27 Aug 2010 12:47:12 +0000
Subject: [PATCH] Added escapeshellargs for security reasons

git-svn-id: https://oss.gonicus.de/repositories/gosa/branches/2.6@19474 594d385d-05f5-0310-b6e9-bd551577e9d8
---
 gosa-core/include/functions.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc
index 9a06ea1c1..f2e0a9111 100644
--- a/gosa-core/include/functions.inc
+++ b/gosa-core/include/functions.inc
@@ -2676,7 +2676,7 @@ function get_base_from_hook($dn, $attrib)
     $command= $config->get_cfg_value("baseIdHook");
 
     if ($command != ""){
-      $command.= " '".LDAP::fix($dn)."' $attrib";
+      $command.= " ".escapeshellarg(LDAP::fix($dn))." ".escapeshellarg($attrib);
       if (check_command($command)){
         @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
         exec($command, $output);
@@ -3059,8 +3059,8 @@ function change_password ($dn, $password, $mode=0, $hash= "")
 
       if ($command != ""){
         /* Walk through attribute list */
-        $command= preg_replace("/%userPassword/", $password, $command);
-        $command= preg_replace("/%dn/", $dn, $command);
+        $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
+        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
 
         if (check_command($command)){
           @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
-- 
2.30.2